3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-06 10:21:05 +02:00
Code Issues Projects Releases Packages Wiki Activity

rm len

Browse source
This commit is contained in:
Denis Mishin 2025-04-24 19:58:54 -04:00
parent 625c9d4014
commit 74c1a5bbb0
1 changed files with 0 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

13
internal/oauth21/pkce.go
View file

@ -13,18 +13,8 @@ import (
// - storedCodeChallenge: The challenge string stored by the server during the authorization request. // - storedCodeChallenge: The challenge string stored by the server during the authorization request.
// Returns true if the verifier is valid, false otherwise. // Returns true if the verifier is valid, false otherwise.
func VerifyPKCES256(codeVerifier, storedCodeChallenge string) bool { func VerifyPKCES256(codeVerifier, storedCodeChallenge string) bool {
// 1. Calculate SHA256 hash of the code verifier (ASCII representation)
sha256Hash := sha256.Sum256([]byte(codeVerifier)) sha256Hash := sha256.Sum256([]byte(codeVerifier))
// 2. Base64url-encode the hash *without* padding
// Use RawURLEncoding which omits padding.
calculatedChallenge := base64.RawURLEncoding.EncodeToString(sha256Hash[:]) calculatedChallenge := base64.RawURLEncoding.EncodeToString(sha256Hash[:])
// 3. Constant-time comparison
if len(calculatedChallenge) != len(storedCodeChallenge) {
return false
}
// subtle.ConstantTimeCompare returns 1 if equal, 0 otherwise.
return subtle.ConstantTimeCompare([]byte(calculatedChallenge), []byte(storedCodeChallenge)) == 1 return subtle.ConstantTimeCompare([]byte(calculatedChallenge), []byte(storedCodeChallenge)) == 1
} }
@ -35,8 +25,5 @@ func VerifyPKCES256(codeVerifier, storedCodeChallenge string) bool {
// - storedCodeChallenge: The challenge string stored by the server during the authorization request. // - storedCodeChallenge: The challenge string stored by the server during the authorization request.
// Returns true if the verifier is valid, false otherwise. // Returns true if the verifier is valid, false otherwise.
func VerifyPKCEPlain(codeVerifier, storedCodeChallenge string) bool { func VerifyPKCEPlain(codeVerifier, storedCodeChallenge string) bool {
if len(codeVerifier) != len(storedCodeChallenge) {
return false
}
return subtle.ConstantTimeCompare([]byte(codeVerifier), []byte(storedCodeChallenge)) == 1 return subtle.ConstantTimeCompare([]byte(codeVerifier), []byte(storedCodeChallenge)) == 1
} }